Before you activate fully managed Flink, your account must be assigned the system default role AliyunStreamAsiDefaultRole. This topic describes the two methods to assign the system default role AliyunStreamAsiDefaultRole to an account.

Background information

Fully managed Flink can call services, such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Server Load Balancer (SLB), and Application Real-Time Monitoring Service (ARMS), to start the components of fully managed Flink only after your account is assigned the AliyunStreamAsiDefaultRole role.

Automated authorization

In most cases, you are required to perform automated authorization when you purchase fully managed Flink for the first time.

  1. Log on to the Realtime Compute for Apache Flink console.
  2. In the Fully Managed Flink section, click Purchase.
  3. On the Authorization Request page, click Authorize in RAM.
  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy in the lower part of the page.
    Note By default, the AliyunStreamAsiDefaultRole role is selected.

Manual authorization (method 1)

If you delete the AliyunStreamAsiDefaultRole role or modify its authorization policy, fully managed Flink becomes unavailable. In this case, you can perform the following steps to grant the authorization again.

  1. Create a role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. On the Roles page, click Create Role.
    4. In the Create Role pane, select a trusted entity and click Next.
      The following trusted entities are supported:
      • Alibaba Cloud Account: A RAM user of a trusted Alibaba Cloud account can access your cloud resources by using a RAM role. You can select your current Alibaba Cloud account or another account as a trusted entity.
      • Alibaba Cloud Service: A trusted Alibaba Cloud service can access your cloud resources by using a RAM role.
      • IdP: The identity provider (IdP) allows you to log on to the Alibaba Cloud Management Console from your user account system by configuring single sign-on (SSO). This feature meets the requirements for unified authentication.

      For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted Alibaba Cloud service, or Create a RAM role for a trusted IdP.

    5. Enter the role information and click OK.
    Note The role name is AliyunStreamAsiDefaultRole. If this role exists, you do not need to create this role again.
  2. Add an authorization policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. On the Roles page, find the AliyunStreamAsiDefaultRole role and click Input and Attach in the Actions column.
    4. In the Add Permissions panel, select Custom Policy and enter a policy name.
      You must attach the following policy to the AliyunStreamAsiDefaultRole role:
      • Policy 1: custom policy (AliyunStreamAsiDefaultRolePolicy0)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "oss:ListBuckets",
                    "Resource": "acs:oss:*:*:*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "ecs:AssociateEipAddress",
                        "ecs:AttachNetworkInterface",
                        "ecs:AuthorizeSecurityGroup",
                        "ecs:AuthorizeSecurityGroupEgress",
                        "ecs:CreateNetworkInterface",
                        "ecs:CreateNetworkInterfacePermission",
                        "ecs:CreateSecurityGroup",
                        "ecs:DeleteNetworkInterface",
                        "ecs:DeleteNetworkInterfacePermission",
                        "ecs:DeleteSecurityGroup",
                        "ecs:DescribeNetworkInterfacePermissions",
                        "ecs:DescribeNetworkInterfaces",
                        "ecs:DescribeSecurityGroupAttribute",
                        "ecs:DescribeSecurityGroupReferences",
                        "ecs:DescribeSecurityGroups",
                        "ecs:DetachNetworkInterface",
                        "ecs:JoinSecurityGroup",
                        "ecs:LeaveSecurityGroup",
                        "ecs:ModifyNetworkInterfaceAttribute",
                        "ecs:ModifySecurityGroupAttribute",
                        "ecs:ModifySecurityGroupPolicy",
                        "ecs:ModifySecurityGroupPolicy",
                        "ecs:ModifySecurityGroupRule",
                        "ecs:RevokeSecurityGroup",
                        "ecs:RevokeSecurityGroupEgress",
                        "ecs:UnassociateEipAddress"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "arms:ListDashboards"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "vpc:DescribeVpcAttribute",
                        "vpc:DescribeVpcs",
                        "vpc:DescribeVSwitchAttributes",
                        "vpc:DescribeVSwitches",
                        "vpc:DescribeRouteTableList",
                        "vpc:DescribeRouteTables",
                        "vpc:DescribeRouteEntryList",
                        "vpc:DescribeRouterInterfaceAttribute",
                        "vpc:DescribeRouterInterfaces",
                        "vpc:DescribeVRouters"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Policy 2: custom policy (AliyunStreamAsiDefaultRolePolicy1)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "slb:AddBackendServers",
                        "slb:AddListenerWhiteListItem",
                        "slb:AddTags",
                        "slb:AddVServerGroupBackendServers",
                        "slb:CreateLoadBalancer",
                        "slb:CreateLoadBalancerHTTPListener",
                        "slb:CreateLoadBalancerHTTPSListener",
                        "slb:CreateLoadBalancerTCPListener",
                        "slb:CreateLoadBalancerUDPListener",
                        "slb:CreateRules",
                        "slb:CreateVServerGroup",
                        "slb:DeleteLoadBalancer",
                        "slb:DeleteLoadBalancerListener",
                        "slb:DeleteRules",
                        "slb:DeleteServerCertificate",
                        "slb:DeleteVServerGroup",
                        "slb:DescribeHealthStatus",
                        "slb:DescribeListenerAccessControlAttribute",
                        "slb:DescribeLoadBalancerAttribute",
                        "slb:DescribeLoadBalancerHTTPListenerAttribute",
                        "slb:DescribeLoadBalancerHTTPListenerAttributes",
                        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                        "slb:DescribeLoadBalancerTCPListenerAttribute",
                        "slb:DescribeLoadBalancerUDPListenerAttribute",
                        "slb:DescribeLoadBalancers",
                        "slb:DescribeRegions",
                        "slb:DescribeRules",
                        "slb:DescribeServerCertificates",
                        "slb:DescribeTags",
                        "slb:DescribeVServerGroupAttribute",
                        "slb:DescribeVServerGroups",
                        "slb:ModifyLoadBalancerInstanceSpec",
                        "slb:ModifyLoadBalancerInternetSpec",
                        "slb:ModifyLoadBalancerPayType",
                        "slb:RemoveBackendServers",
                        "slb:RemoveListenerWhiteListItem",
                        "slb:RemoveVServerGroupBackendServers",
                        "slb:SetBackendServers",
                        "slb:SetListenerAccessControlStatus",
                        "slb:SetLoadBalancerHTTPListenerAttribute",
                        "slb:SetLoadBalancerHTTPSListenerAttribute",
                        "slb:SetLoadBalancerName",
                        "slb:SetLoadBalancerStatus",
                        "slb:SetLoadBalancerTCPListenerAttribute",
                        "slb:SetLoadBalancerUDPListenerAttribute",
                        "slb:SetRule",
                        "slb:SetServerCertificateName",
                        "slb:SetVServerGroupAttribute",
                        "slb:StartLoadBalancerListener",
                        "slb:StopLoadBalancerListener",
                        "slb:UploadServerCertificate"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Policy 3: custom policy (FlinkServerlessPolicy)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "ram:*"
                    ],
                    "Resource": [
                        "acs:ram:*:*:domain/*",
                        "acs:ram:*:*:application/*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }
    5. Click OK.
Note After the preceding role and policies are created, you can activate and use fully managed Flink.

Manual authorization (method 2)

If you delete the AliyunStreamAsiDefaultRole role or modify a policy, fully managed Flink becomes unavailable. In this case, you can perform the following steps to delete the Resource Orchestration Service (ROS) stack, the RAM role, and the RAM policies. Then, log on to the Realtime Compute for Apache Flink console and grant the authorization again.

  1. Delete the ROS stack.
    1. Log on to the ROS console.
    2. In the left-side navigation pane, click Stacks.
    3. In the top navigation bar, change the region to China (Hangzhou).
    4. In the search box next to Stack Name, enter FlinkServerlessStack, and then enter FlinkOnAckStack. After each entry, click the search icon.
      Note
      • FlinkServerlessStack: the name of the ROS stack of fully managed Flink
      • FlinkOnAckStack: the name of the ROS stack of Container Service for Kubernetes (ACK)
    5. Find the stack that you want to delete and click Delete in the Actions column. In the dialog box that appears, click OK.
  2. Delete a RAM role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the search box, enter AliyunStreamAsiDefaultRole.
    4. In the Actions column, click Delete. In the dialog box that appears, click OK.
      Note Before you can delete the role, you must click the AliyunStreamAsiDefaultRole name to go to the role details page and remove the permissions that are attached to the role.
  3. Delete the RAM policies that are attached to the role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. In the search box, enter AliyunStreamAsiDefaultRolePolicy0, AliyunStreamAsiDefaultRolePolicy1, and FlinkServerlessPolicy.
    4. In the Actions column, click Delete. In the dialog box that appears, click OK.
  4. In the Realtime Compute for Apache Flink console, perform authorization again.
    1. Log on to the Realtime Compute for Apache Flink console.
    2. In the Fully Managed Flink section, click Purchase.
    3. On the Authorization Request page, click Authorize in RAM.
    4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy in the lower part of the page.

Permissions

The following table describes the permissions required to use fully managed Flink based on different scenarios. For more information about how to obtain these permissions, see Automated authorization, Manual authorization (method 1), or Manual authorization (method 2).

  • Permissions on ECS resources
    Before you can access the console over the Internet, you must activate Elastic IP Address (EIP) by using your Alibaba Cloud account. Before you can access resources in a VPC, you must create elastic network interfaces (ENIs) in the VPC. These ENIs are added to the dedicated security group of fully managed Flink. Therefore, fully managed Flink must have the operation permissions on the EIP, the security group, and the ENIs.
    Notice You are charged a data transfer fee for the EIP that is used for access over the Internet.
    Permission (Action) Description
    ecs:AssociateEipAddress Applies for an EIP to access fully managed Flink over the Internet.
    ecs:AttachNetworkInterface Allows fully managed Flink to bind your ENI to the resource pool of fully managed Flink.
    ecs:AuthorizeSecurityGroup Fully managed Flink creates a security group. This permission is required to add an inbound rule to the security group.
    ecs:AuthorizeSecurityGroupEgress Fully managed Flink creates a security group. This permission is required to add an outbound rule to the security group.
    ecs:CreateNetworkInterface Allows fully managed Flink to create an ENI in your VPC and allows fully managed Flink to connect to your VPC.
    ecs:CreateNetworkInterfacePermission Allows fully managed Flink to bind your ENI.
    ecs:CreateSecurityGroup Fully managed Flink creates a security group. This permission is required to create the security group.
    ecs:DeleteNetworkInterface Deletes the ENIs of the resources that are used in a task of fully managed Flink after the task is complete.
    ecs:DeleteNetworkInterfacePermission Allows fully managed Flink to unbind your ENI.
    ecs:DeleteSecurityGroup Fully managed Flink creates a security group. This permission is required to delete the security group.
    ecs:DescribeNetworkInterfacePermissions Allows you to unbind your ENI from the resource pool of fully managed Flink.
    ecs:DescribeNetworkInterfaces Allows fully managed Flink to query ENIs.
    ecs:DescribeSecurityGroupAttribute Allows fully managed Flink to query the security group rules of a security group.
    ecs:DescribeSecurityGroupReferences Allows fully managed Flink to query security groups and security group-level authorization.
    ecs:DescribeSecurityGroups Allows fully managed Flink to query basic information about the created security groups.
    ecs:DetachNetworkInterface Allows fully managed Flink to unbind your ENI from the resource pool of fully managed Flink.
    ecs:JoinSecurityGroup Allows fully managed Flink to add ENIs to the specified security group.
    ecs:LeaveSecurityGroup Allows fully managed Flink to remove ENIs from the specified security group.
    ecs:ModifyNetworkInterfaceAttribute Allows fully managed Flink to modify information about an ENI, such as the name, the description, and the security group to which the ENI belongs.
    ecs:ModifySecurityGroupAttribute Allows fully managed Flink to change the name or description of a security group.
    ecs:ModifySecurityGroupPolicy Allows fully managed Flink to modify the access control policy within the security group.
    ecs:ModifySecurityGroupRule Allows fully managed Flink to modify the descriptions of security group inbound rules.
    ecs:RevokeSecurityGroup Allows fully managed Flink to delete a security group inbound rule.
    ecs:RevokeSecurityGroupEgress Allows fully managed Flink to delete a security group outbound rule.
    ecs:UnassociateEipAddress Allows fully managed Flink to release EIPs.
  • Permissions on SLB resources
    Before you can access the console of fully managed Flink over the Internet, you must obtain the permissions to manage SLB, and then activate pay-as-you-go SLB by using your Alibaba Cloud account.
    Notice You are charged additional fees for pay-as-you-go SLB.
    Permission (Action) Description
    slb:AddBackendServers Allows fully managed Flink to change the backend of SLB.
    slb:AddListenerWhiteListItem Allows fully managed Flink to add an IP address to the access whitelist of a listener.
    slb:AddTags Allows fully managed Flink to add tags to the specified SLB instance.
    slb:AddVServerGroupBackendServers Allows fully managed Flink to add backend servers to the specified backend server group.
    slb:CreateLoadBalancer Allows fully managed Flink to create an SLB instance.
    slb:CreateLoadBalancerHTTPListener Allows fully managed Flink to create an HTTP listener.
    slb:CreateLoadBalancerHTTPSListener Allows fully managed Flink to create an HTTPS listener.
    slb:CreateLoadBalancerTCPListener Allows fully managed Flink to create a TCP listener.
    slb:CreateLoadBalancerUDPListener Allows fully managed Flink to create a UDP listener.
    slb:CreateRules Allows fully managed Flink to create routing methods for the specified HTTP or HTTPS listener.
    slb:CreateVServerGroup Allows fully managed Flink to add backend server groups and add backend servers to the specified backend server group.
    slb:DeleteLoadBalancer Allows fully managed Flink to delete an SLB instance.
    slb:DeleteLoadBalancerListener Allows fully managed Flink to delete a backend listener.
    slb:DeleteRules Allows fully managed Flink to delete the routing methods of the specified HTTP or HTTPS listener.
    slb:DeleteVServerGroup Allows fully managed Flink to delete a server group.
    slb:DescribeHealthStatus Allows fully managed Flink to query the health status of backend servers.
    slb:DescribeListenerAccessControlAttribute Allows fully managed Flink to query the whitelist configurations of the specified SLB listener.
    slb:DescribeLoadBalancerAttribute Allows fully managed Flink to query the details about the specified SLB instance.
    slb:DescribeLoadBalancerHTTPListenerAttribute Allows fully managed Flink to query the configurations of an HTTP listener.
    slb:DescribeLoadBalancerHTTPSListenerAttribute Allows fully managed Flink to query the configurations of an HTTPS listener.
    slb:DescribeLoadBalancerTCPListenerAttribute Allows fully managed Flink to query the configurations of a TCP listener.
    slb:DescribeLoadBalancerUDPListenerAttribute Allows fully managed Flink to query the configurations of a UDP listener.
    slb:DescribeLoadBalancers Allows fully managed Flink to query the created SLB instances.
    slb:DescribeRegions Allows fully managed Flink to query the regions of available SLB instances.
    slb:DescribeRules Allows fully managed Flink to query the routing methods that are configured for the specified listener.
    slb:DescribeTags Allows fully managed Flink to query the list of tags.
    slb:DescribeVServerGroupAttribute Allows fully managed Flink to query the details about a server group.
    slb:DescribeVServerGroups Allows fully managed Flink to query the list of server groups.
    slb:ModifyLoadBalancerInstanceSpec Allows fully managed Flink to modify the instance specification of an SLB instance.
    slb:ModifyLoadBalancerInternetSpec Allows fully managed Flink to change the metering method of an Internet-facing SLB instance. The metering method can be pay-by-data-transfer or pay-by-bandwidth.
    slb:ModifyLoadBalancerPayType Allows fully managed Flink to change the billing method of an Internet-facing SLB instance. The billing method can be pay-as-you-go or subscription.
    slb:RemoveBackendServers Allows fully managed Flink to remove backend servers.
    slb:RemoveListenerWhiteListItem Allows fully managed Flink to delete an IP address from the whitelist of a listener.
    slb:RemoveVServerGroupBackendServers Allows fully managed Flink to remove backend servers from the specified backend server group.
    slb:SetBackendServers Allows fully managed Flink to specify the backend server weight.
    slb:SetListenerAccessControlStatus Allows fully managed Flink to specify whether to enable the whitelist of the specified listener for access control.
    slb:SetLoadBalancerHTTPListenerAttribute Allows fully managed Flink to modify the configurations of an HTTP listener.
    slb:SetLoadBalancerHTTPSListenerAttribute Allows fully managed Flink to modify the configurations of an HTTPS listener.
    slb:SetLoadBalancerName Allows fully managed Flink to specify the name of an SLB instance.
    slb:SetLoadBalancerStatus Allows fully managed Flink to specify the status of an SLB instance.
    slb:SetLoadBalancerTCPListenerAttribute Allows fully managed Flink to modify the configurations of a TCP listener.
    slb:SetLoadBalancerUDPListenerAttribute Allows fully managed Flink to modify the configurations of a UDP listener.
    slb:SetRule Allows fully managed Flink to modify the routing methods of a vServer.
    slb:SetServerCertificateName Allows fully managed Flink to specify the name of a server certificate.
    slb:SetVServerGroupAttribute Allows fully managed Flink to modify the configurations of a vServer group.
    slb:StartLoadBalancerListener Allows fully managed Flink to start the specified listener.
    slb:StopLoadBalancerListener Allows fully managed Flink to stop the specified listener.
  • Permissions on OSS resources
    Before you can query OSS buckets, you must obtain the permissions on OSS resources.
    Permission (Action) Description
    oss:ListBuckets Allows fully managed Flink to query OSS buckets.
  • Permissions on ARMS resources
    ARMS is activated for you. The metrics of fully managed Flink are stored in ARMS.
    Notice You can store the metrics of fully managed Flink into ARMS free of charge.
    Permission (Action) Description
    arms:ListDashboards Allows fully managed Flink to query ARMS dashboards.
  • Permissions on VPC resources
    When you activate fully managed Flink, the DESCRIBE permission on resources in the VPC is required.
    Permission (Action) Description
    vpc:DescribeVpcAttribute Allows fully managed Flink to query the configuration information about the specified VPC.
    vpc:DescribeVpcs Allows fully managed Flink to query the created VPCs.
    vpc:DescribeVSwitchAttributes Allows fully managed Flink to query information about the specified vSwitch.
    vpc:DescribeVSwitches Allows fully managed Flink to query the created vSwitches.
    vpc:DescribeRouteTableList Allows fully managed Flink to query the list of route tables.
    vpc:DescribeRouteTables Allows fully managed Flink to query the specified route table.
    vpc:DescribeRouteEntryList Allows fully managed Flink to query route entries in a route table.
    vpc:DescribeRouterInterfaceAttribute Allows fully managed Flink to query the configurations of the router interface.
    vpc:DescribeRouterInterfaces Allows fully managed Flink to query router interfaces.
    vpc:DescribeVRouters Allows fully managed Flink to query vRouters in the specified region.
  • Permissions on RAM resources
    When you activate fully managed Flink, you must have permissions on RAM resources to configure the RAM resources.
    Permission (Action) Description
    ram:* Allows you to add, remove, modify, and query the RAM resources domain and application.
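The manual authorization procedure (method 1) above attaches three custom policies to AliyunStreamAsiDefaultRole, and the permissions table lists the actions those policies must grant. The following added example (not code from the page or from Alibaba Cloud) shows one way to check the policy documents attached to the role against that documented set: it reports documented actions that are missing, granted actions that go beyond the documented set, and wildcard actions granted on Resource "*". The sample policy documents, the REQUIRED_ACTIONS subset and the function names are constructed for this example; in practice the documents would be fetched from RAM.

```python
import json
from fnmatch import fnmatchcase
from typing import Iterable

# Abridged subset of the actions the page documents for the role (constructed
# for this example; the full set is the union of the three custom policies).
REQUIRED_ACTIONS = {
    "oss:ListBuckets",
    "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
    "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup",
    "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer",
    "arms:ListDashboards",
    "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
    "ram:*",
}


def allow_grants(policy_doc: str) -> set[tuple[str, str]]:
    """Return (action, resource) pairs from the Allow statements of a RAM policy.
    Action and Resource may each be a string or a list of strings."""
    grants = set()
    for stmt in json.loads(policy_doc).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        ress = stmt.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        ress = [ress] if isinstance(ress, str) else ress
        grants.update((a, r) for a in acts for r in ress)
    return grants


def audit_role_policies(policy_docs: Iterable[str],
                        required: set[str] = REQUIRED_ACTIONS) -> dict:
    """Compare the actions granted by the attached policies with the documented set.
    RAM actions may contain '*' (e.g. 'slb:*'), so matching is wildcard-aware."""
    grants = set().union(*(allow_grants(d) for d in policy_docs))
    granted = {a for a, _ in grants}
    missing = sorted(r for r in required
                     if not any(fnmatchcase(r, g) for g in granted))
    extra = sorted(g for g in granted
                   if not any(fnmatchcase(r, g) for r in required))
    # A wildcard action on Resource "*" is broader than anything the page documents
    # (the page's ram:* is scoped to domain/* and application/* resources).
    unscoped = sorted(a for a, r in grants if a.endswith("*") and r == "*")
    return {"missing": missing, "extra": extra, "unscoped_wildcards": unscoped}


# Constructed sample: an abridged AliyunStreamAsiDefaultRolePolicy0 that has
# drifted (one action dropped, one added, slb widened to slb:*), plus the
# FlinkServerlessPolicy statement as the page shows it.
SAMPLE_POLICY_DOCS = [
    json.dumps({"Version": "1", "Statement": [
        {"Action": "oss:ListBuckets", "Resource": "acs:oss:*:*:*", "Effect": "Allow"},
        {"Action": ["ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
                    "ecs:CreateSecurityGroup", "ecs:RunInstances"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "slb:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "arms:ListDashboards", "Resource": "*", "Effect": "Allow"},
        {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
         "Resource": "*", "Effect": "Allow"},
    ]}),
    json.dumps({"Version": "1", "Statement": [
        {"Action": ["ram:*"],
         "Resource": ["acs:ram:*:*:domain/*", "acs:ram:*:*:application/*"],
         "Effect": "Allow"},
    ]}),
]

if __name__ == "__main__":
    print(json.dumps(audit_role_policies(SAMPLE_POLICY_DOCS), indent=2))
```

An empty "missing" list with no "extra" or "unscoped_wildcards" entries means the attached policies match the documented set; any other result is the drift that makes fully managed Flink unavailable or grants the role more than it needs.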